Which Is Right For You, and Why?
When businesses, healthcare providers, educational institutions, and government agencies hire us to perform penetration testing, our experienced consultants recommend the type of penetration testing (“pen tests”) to be conducted based on our conversations with the clients.
We thought that some of you might be interested in learning about the three different types of pen tests and when each one is most appropriate. (If, on the other hand, you’re looking for content that’s a little edgier, please read our post on “The Dark Magic of the Deepfake.”)
Now, let’s have a quick look at why you should have a pen test regularly. Bear in mind that external and internal pen tests are individual components of an overall security risk assessment, which is required by many security regulations, and also makes good business sense.
Benefits of Penetration Testing for Any Organization
Penetration testers are basically white hat hackers. Their job is to emulate the bad guys by attempting to find ways into your network in order to discover security gaps. As such, they acquire a unique perspective on your organization’s IT defenses that routine, automated vulnerability scans cannot.
Modern vulnerability scanners continue to improve and can detect myriad vulnerabilities in known systems. But they can miss vulnerabilities that are specific to a business. A skilled pen tester will employ a range of automated tools and augment them with real-world experience, training, and brainpower to achieve a comprehensive view of your unique organization.
Holistic, Contextual View
It’s not uncommon for security weaknesses to be greater than the sum of their parts when exploited in a particular sequence by a savvy attacker. Together, they can pose a considerable risk to your organization. An experienced pen tester has the human ability to connect the dots and to understand individual vulnerabilities in a larger context.
The product of any professional penetration test is a report of findings and recommendations for remediation. Automated scanning tools may suggest general solutions, but a report written by an experienced pen tester will describe remedial actions your organization can take to address its specific security gaps.
If you’re interested in delving a little deeper, this article looks at the pros and cons of penetration testing.
The Three Types of Pen Tests
Now that we know the benefits of conducting regular penetration testing of our networks, let’s learn more about the three types of pen tests and the value of each type. (Note: Similar testing is also available for software applications, websites, and other organizational assets.)
Penetration tests are classified according to (1) how much organizational information is shared with the pen tester at the outset of the assignment, and (2) the level of access the pen tester is granted in order to conduct the testing. These classifications are coded as white, black, or gray box testing.
White Box Testing
White box testing refers to the granting of full access to conduct the pen test, and the sharing of complete network and system architecture documentation, network maps, source code, user roles, and any other documentation that may be useful in planning the pen test and analyzing the findings.
Downside. The downside of white box testing is that the pen tester must sift through reams of client-provided data in order to identify possible weaknesses or security gaps requiring specific testing. It’s a time-consuming process. It also gives the pen tester an unrealistic advantage over a normal hacker or cybercriminal, who would not have access to so much internal information and whose behavior would not be influenced by that knowledge.
Upside. The upside to white box testing, sometimes called clear box or open box testing, is that it delivers a thorough assessment of both internal and external vulnerabilities, which is vital to a comprehensive penetration test.
While external penetration testing targets the assets that are visible on the Internet (such as DNS, email, or the company website), internal penetration testing is equally important because it concentrates on the LAN and the various intelligent devices connected to it. Internal testing can help detect malicious or negligent insider activities as well as evidence of criminal hackers who may have embedded themselves in the network.
Requirements. Conducting white box testing requires skillful use of dynamic analysis tools, source code analyzers, and other analytical techniques. White box pen testers combine years of hands-on experience with professional training and certification.
Deliverables. White box testing will deliver a comprehensive report of findings and remediation recommendations that may be prioritized by severity to help guide timely client action.
Black Box Testing
Black box testing is the opposite of white box testing. In this scenario, the pen tester behaves like a typical hacker in that he or she has no deep knowledge of the network to be tested. Only documentation that is publicly available (such as user manuals or vendor software documentation) is shared with the pen tester. It is probably the most realistic of the three testing scenarios, since most hackers have no knowledge of the inner workings of a network as they plan their attack on it—unless they have breached the network and are embedded in it.
Downside. The downside of black box testing is that it enables only external penetration testing, which detects vulnerabilities that can be exploited from outside the client network. It does not accommodate internal penetration testing, which provides a deeper look into the network to discover vulnerabilities that can be exploited from within (as would happen with a sophisticated hacker or a malicious insider). If the penetration tester is unable to breach the perimeter, he or she will not be able to discover—or to remedy—any vulnerabilities associated with internal services or systems.
Upside. The upside to black box testing is that it is faster to perform since there is less documentation to pore through and only external testing to be completed. The speed with which the tester is able to detect and exploit vulnerabilities in a network’s external-facing services also influences the duration of the testing.
Requirements. Conducting black box testing requires pen testers to map the client network on their own, based on their test preparation work. Black box testing uses dynamic analysis of programs and systems that are currently running on the network. Testers must be able to combine the use of automated scanning tools with manual testing techniques.
Deliverables. A report of findings and remedies is delivered within the scope of the black box test.
Gray Box Testing
As the name implies, gray box testing is a hybrid that blends the best elements of white and black box testing to achieve actionable results in optimal time. Gray box testers usually have some degree of internal network knowledge, including a current network map or system architecture documentation, and have been granted internal access to the network.
Downside. The downside to gray box testing is that it is a bit more time-consuming than basic black box testing, but the upside is significant.
Upside. Because they have been provided with some internal network documentation, pen testers can target the highest-value and most risky elements of the network from the outset, without wasting time wandering through the network to collect information. This adds scale and value to the testing.
In addition, having internal access to the network enables them to test inside the perimeter, thereby imitating a hacker who has enjoyed access to the network for some period of time. Numerous cyberattacks have been perpetrated by embedded hackers, creating significantly more damage than a quick hit-and-run attack.
Deliverables. Conducting gray box testing will yield a more extensive report of findings and remediation recommendations than black box testing since it will include internal as well as external penetration testing.
Which Is Right For You?
As we have noted, both internal and external testing are necessary elements of a thorough security risk assessment. White box and gray box testing support these two elements.
If your organization has not undergone an extensive security assessment in several years, a white box testing scenario is a smart move. It can be followed by periodic external scans, or black box testing, as part of a security maintenance program.
For organizations desiring solid testing in an efficient timeframe, gray box testing may be a good strategy. Before you decide on your own, we invite you to consult with our penetration testing experts to determine which approach makes the most sense for your specific circumstances.
Where to Learn More
Anyone desiring to learn more about penetration testing, including becoming certified in this skill, is encouraged to visit the Infosec Institute, an excellent resource for information security professionals. Special thanks to Infosec for supplying key content for this article.
EC-Council is also an excellent resource, offering a Certified Ethical Hacker credential that is ideal for professional pen testers who serve as white hats or ethical hackers.
Penetration testing, including both internal and external testing, is a vital component of a thorough security risk assessment. The three types of pen tests are white box, black box, and gray box testing, and each has particular advantages.
An ongoing network security program might employ all three types of testing over a period of several years or more. Before deciding which type of testing is right for you at any given time, we recommend consulting with a professional penetration tester to ensure you derive the greatest value from pen testing in your current state. At 24By7Security, our credentials include Certified Ethical Hacker certification from EC-Council.